Netty HTTP/2 Server Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in Netty's HTTP/2 server implementation, present in versions prior to 4.1.132.Final and 4.2.10.Final. The issue arises because the server does not limit the number of 'CONTINUATION' frames it will accept. A remote attacker can exploit this by sending a large number of 'CONTINUATION' frames with zero-byte payloads; because the frames carry no data, the existing size-based protections (which bound the accumulated header-block size, not the frame count) never trigger. The resulting flood of frames leads to excessive CPU usage, causing the server to become unresponsive while consuming minimal bandwidth.
Impact
Exploitation of this vulnerability leads to high CPU consumption on the server, causing it to become unresponsive and unavailable to legitimate users.
Reproduction
The vulnerability can be reproduced by sending a stream of 'CONTINUATION' frames with zero-byte payloads to a Netty HTTP/2 server. The server will process these frames without enforcing a limit on their quantity, allowing the attacker to monopolize a CPU thread and disrupt normal service.
Remediation
Users can upgrade to Netty versions 4.1.132.Final or 4.2.12.Final to address this vulnerability.
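The missing control described above is a cap on the number of 'CONTINUATION' frames per header block, not on their size. The following is an added illustration (not Netty's code) that parses raw HTTP/2 frames and applies such a count-based limit alongside the protocol checks a decoder must already perform; the frame encoder, the sample traffic and the `MAX_CONTINUATIONS` policy value are constructed for this example.

```python
import struct

FRAME_HEADER_LEN = 9
TYPE_HEADERS, TYPE_CONTINUATION, FLAG_END_HEADERS = 0x1, 0x9, 0x4
MAX_CONTINUATIONS = 8  # assumed policy value, not from the advisory: frames one header block may span

def encode_frame(frame_type, flags, stream_id, payload=b""):
    """Serialise one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for every complete frame in the byte string."""
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame_type, flags = data[offset + 3], data[offset + 4]
        stream_id = struct.unpack(">I", data[offset + 5:offset + 9])[0] & 0x7FFFFFFF
        payload = data[offset + 9:offset + 9 + length]
        offset += FRAME_HEADER_LEN + length
        yield frame_type, flags, stream_id, payload

def scan_connection(data, max_continuations=MAX_CONTINUATIONS):
    """Replay a connection's frames and cap the CONTINUATION *count* per header block.
    Returns (verdict, frames_seen); a byte-size cap alone never trips here, as every payload is empty."""
    open_stream, continuations, seen = None, 0, 0
    for frame_type, flags, stream_id, _payload in iter_frames(data):
        seen += 1
        if open_stream is not None and frame_type != TYPE_CONTINUATION:
            return "PROTOCOL_ERROR: header block on stream %d interrupted" % open_stream, seen
        if frame_type == TYPE_HEADERS:
            open_stream, continuations = stream_id, 0
        elif frame_type == TYPE_CONTINUATION:
            if stream_id != open_stream:
                return "PROTOCOL_ERROR: CONTINUATION without open header block", seen
            continuations += 1
            if continuations > max_continuations:
                return "ENHANCE_YOUR_CALM: %d CONTINUATION frames on stream %d" % (continuations, stream_id), seen
        else:
            continue  # frames outside header-block assembly are not counted
        if flags & FLAG_END_HEADERS:
            open_stream = None  # block complete; the counter resets on the next HEADERS
    return "ok", seen

# Constructed sample traffic: a legitimate three-frame header block, then a zero-byte CONTINUATION flood.
LEGIT = (encode_frame(TYPE_HEADERS, 0, 1, b"\x82") + encode_frame(TYPE_CONTINUATION, 0, 1, b"\x86")
         + encode_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"\x84"))
FLOOD = encode_frame(TYPE_HEADERS, 0, 3, b"\x82") + encode_frame(TYPE_CONTINUATION, 0, 3) * 1000
```

On `FLOOD` the scan stops after `MAX_CONTINUATIONS + 1` continuation frames with a GOAWAY-style reason, while `LEGIT` passes; a server that instead only sums payload bytes would process all 1000 empty frames.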
